JP2012198910A - Authorization method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a standard scheme for management of and access to a user profile in a framework of a general-purpose user profile (GUP).SOLUTION: An entity includes to authorize an access to a plurality of data items related to at least a single user profile data component using a user profile including at least the single user profile data component and at least a single authorization data component based on the authorization data component. Where, the user profile is a GUP profile, the user profile data component is the GUP component, and the authorization data component is also the GUP component.

Description

  The present invention relates to an authorization method in a communication system.

  A communication system is a facility that allows communication between two or more entities, such as user terminal equipment and / or network entities, and other nodes associated with the communication system. The communication can include, for example, communication such as voice, electronic mail (E-mail), text message, data, and multimedia.

  Communication can be provided by a fixed line communication interface and / or a wireless communication interface. A feature of a wireless communication system is that the system provides mobility to its users. An example of a communication system that provides wireless communication is a public land mobile network (PLMN). An example of a fixed line system is the public switched telephone network (PSTN).

  Communication systems are generally based on a given standard or specification that defines which of the various elements of the system are authorized to perform and how the function of the elements must be achieved. Works. For example, a standard or specification may define whether a user, more precisely, a user equipment is equipped with a circuit switched server or a packet switched server, or both. The communication protocol and / or parameters to be used for the connection are also generally defined. For example, the manner in which communication is performed between the user equipment and the communication network is generally based on a predetermined communication protocol. That is, the specific series of “rules” on which the communication can be based needs to be defined to allow the user equipment to communicate via the communication system.

  The introduction of so-called third generation (3G) communication systems significantly increases the feasibility of accessing services on the Internet via mobile user equipment and other types of UEs.

  Various user equipments (UEs) such as computers (stationary or portable), mobile phones, personal digital assistants, organizers, etc. are known to those skilled in the art and used to access the Internet to obtain services be able to. A mobile user equipment, referred to as a mobile station, can be defined as a means that enables communication with other equipment, such as a base station or other entity of a mobile telecommunications network, over a wireless interface.

  As used herein, the term “service” should be understood to broadly cover what a user desires or requests, or any service or product provided. It should be understood that this term also covers the provision of free services. In particular, but not limited to, the term “service” should be understood to include Internet protocol multimedia IM services, conferencing, telephony, gaming, high quality calls, presence, e-commerce, and messaging such as instant messaging.

  The Third Generation Partnership Project (3GPP) defines a reference architecture for a universal mobile telecommunications system (UMTS) core network that provides users of user equipment (UE) access to these services. This UMTS core network is divided into three main domains. These are the circuit switched domain, the packet switched domain, and the Internet Protocol Multimedia (IM) domain.

  The IM domain ensures sufficient management of multimedia services. The IM domain corresponds to the Session Initiation Protocol (SIP) as developed by the Internet Engineering Task Force (IETF).

  In addition, there are multiple access technologies (GERAN: GSM / EDGE radio access network, UTRAN: universal terrestrial radio access network, and WLAN: radio local area network).

  Since 3GPP mobile systems and access technologies have multiple domains and multiple emerging services, general-purpose users to provide a conceptual description that enables standardized use of user-related information located in various entities A profile (GUP) has been developed. Examples of services include multimedia messaging (MMS), SMS, chat, telephony, games, browsing / web services, downloads, electronic commerce. This created a need for standard user profile management and access.

  GUP is also used in subscription management.

  Various aspects of GUP are defined in the 3GGP specification of TS 22.240, TS 23.240, TS 23.241, and TS 29.240. These materials are hereby incorporated by reference.

  However, the current definition for GUP does not provide authorization for every model. Because authorization has a legal aspect (privacy), it can be too complex for an operator and / or end user to easily manage.

  Accordingly, embodiments of the present invention aim to address these issues.

  According to one aspect of the present invention, an authorization method in a communication system comprising:

  A data component, a data group, comprising: using authorization data, wherein the authorization data refers to or is referenced by the other data to define an authorization associated with the other data , Or any one of the data elements is provided.

According to one aspect of the invention, a method for authorizing access to data in a communication system comprising:
Providing a user profile comprising at least one user profile data component and at least one authorization data component;
Referencing the other of the at least one authorization data component and the at least one user profile data component by one of at least one authorization data component and at least one user profile data component;
Authorizing access to data associated with at least one user profile data component based on the authorization data component.

  According to one aspect of the invention, an entity in a communication system, wherein authorization data is configured to be used, wherein the authorization data refers to the other data defining an authorization associated with other data. An entity that is one of a data component, a data group, or a data element is provided.

  According to one aspect of the invention, an entity in a communication system is configured to use a user profile that includes at least one user profile data component and at least one authorization data component, and at least One authorization data component and at least one user profile data component refer to another said at least one authorization data component and at least one user profile data component, and said entity is based on said authorization data component, at least An entity having means for authorizing access to data associated with one user profile data component is provided. .

  According to one aspect of the present invention, a method for authorizing access to data in a communication system comprising using at least one user profile data component and a user profile comprising at least one authorization data component; One of the at least one authorization data component and the at least one profile data component is configured to authorize access to data associated with the at least one user profile data component based on the authorization data component. A method is provided for referencing the other of the authorization data component and the at least one user profile data component.

Detailed Description of the Embodiments of the Invention

  For a further understanding of the present invention and how to carry out the present invention, reference is made to the accompanying drawings by way of example.

  Please refer to FIG. FIG. 1 schematically illustrates a system in which embodiments of the present invention can be implemented. The system includes user equipment 2. The user equipment can be in any suitable form, such as mobile or personal digital assistant (PDA), portable computer, laptop computer, stationary computer, or other suitable equipment such as mobile or It may be a fixed entity. The user equipment 2 is configured to communicate with a radio access network (RAN) 8 via a wireless connection. This wireless connection may be any suitable frequency, for example a radio frequency.

  The radio access network 8 generally comprises a base station entity (sometimes referred to as a Node B). In this document, the term base station is used, and this term is intended to cover any suitable entity. The radio access network 8 also includes a control element. This control element may be referred to as a radio network controller (RNC) in the case of a UMTS system and a base station controller (BSC) in the case of a GSM system. It is intended that the term control device is intended for any such control entity. In some configurations, the control function is provided separately from the base station function, and a single control entity can control multiple base stations. In other embodiments of the invention, each base station can incorporate some of the control functions. The radio access network is configured to communicate with the core network 10. The core network 10 shown in FIG. 1 is a packet-switched core network. Embodiments of the invention are also applicable to circuit switched core networks.

  The core network is switched at least one serving GPRS (General Packet Radio System) support node (SGSN) used to switch packet switched transactions, and at least where the core network 10 is connected to an external packet switch network. Contains one gateway GPRS support node (GGSN). In this example, the core network is connected to the IM subsystem 14. Although shown separately here, it can actually be part of the core network.

  The subscription manager SM11 is also shown in FIG. SM11 is shown connected to the core network and IM subsystem.

  Embodiments of the present invention have a wide range of applications and other services such as value-added services.

  Embodiments of the present invention have been described particularly in the context of third generation systems. However, it should be understood that the principles of embodiments of the present invention are applicable to any other suitable communication system.

  GUP was developed to provide a conceptual description that allows standardized use of user related information located in various entities. A GUP is a collection of user-related data, and the user-related data affects how individual users receive services in which an entity group shares the data. The GUP can be stored in a home network environment, and the storage can be extended to UEs and / or value added service provider devices. GUP is accessed by various stakeholders, and through standardized access mechanisms, one (centralized) or multiple (decentralized) interests such as users, subscribers, value-added service providers, network operators, etc. Managed by a person. The GUP profile allows for use within the network, i.e. data exchange between applications in the mobile operator network, and also for use between networks, i.e. data exchange between the mobile operator network and value-added service providers. Is possible.

  Please refer to FIG. FIG. 2 shows a conceptual diagram of the GUP. There is one user profile for each user characterized by IMSI (International Mobile Telephone Subscriber Identification Number) or IMS PID (Public Identity). The user profile can be composed of a plurality of “components” 20, 21 or 22. As shown in FIG. 2, components 21a and 21b are provided to the user equipment. Components 22a and 22b are provided in the value added service provider 16. The value-added service provider 16 may be part of the IMS system 14 or may be independent, for example. Components 20a-f are provided in the home network. The home network 18 generally corresponds to the core network 10 shown in FIG. 1, but may also incorporate RAN 8 in some embodiments of the invention. Thus, within a home network, components can be distributed to various network nodes.

  A component can include general user information such as components 20a and 20b, 21a and 22a. The data may also include service specific information such as components 20c, 20f, 21b, and 22b. The data can also include other components such as, for example, terminal related information such as components 20c and 20d. In the configuration shown in FIG. 2, there is one master of the component, but there may be one or more copies of the master component. For example, the component 21a is a master component, but is copied to the home network 18 as the component 20a, and is copied to the value added service provider 16 as the component 22a. Components 20b, 20c, and 20d are all master components. The component 22b is a master component having the component 20c of the home network 16 and the component 21b of the user equipment 2 that is a copy thereof. The component 20f is also a master component. In an embodiment of the present invention, the home operator can copy a master component located outside the home network to the home network. Within the home network, GUP components can be placed, thereby preventing the application from recognizing the actual location of the components.

  Please refer to FIG. FIG. 3 shows entities related to the processing of GUP. GUP provides a general-purpose mechanism for accessing and manipulating user-related data for suppliers and consumers. This mechanism allows data retrieval and management in a standardized manner.

  Data suppliers and consumers can be divided into the following groups: An application 30 at the UE 2; a home network application 32 at the home network 18; a third party application 34 at the value added service provider 16; and an OAM (operational management and maintenance) and subscription management application 36. The terminal application 30 is originally various, and can supply GUP data to the above-described data store or retrieve data for use in the application. Home network application 32 may include data related to call or session processing and messaging or web services. The third party application 34 is similar to an application in the home network. OAM and subscription management applications provide management of user data by network operators.

  Please refer to FIG. FIG. 4 shows an example of a standard GUP architecture incorporating an embodiment of the present invention. Applications 40 (including terminal application 30, home network application 32, third party application 34, and OAM and subscription management application 36) are connected to GUP server 42. A GUP server is a functional entity that provides a single access point to GUP data for a particular subscriber. In the configuration shown in FIG. 4, there is a separate authorization server and / or authorization data repository 44.

  Embodiments of the present invention can be implemented in two different ways. In one embodiment, server 44 is omitted. The GUP server 42 further provides an authorization server function. The authorization data repository can reside in the server 42 or an independent data repository. In other embodiments of the present invention, as shown in FIG. 4, there is an independent server that provides authorization server functionality and / or is an authorization data repository. That is, the authorization decision can be made by the server 44 or the entity 44 can simply be a repository for authorization related data.

  FIG. 4 also shows repository access function units 46, 47 and 48. The repository access function unit RAF (Repository Access Function) realizes a standardized access interface. It hides the implementation details of the data repository from the GUP infrastructure. RAF performs protocol and data conversion as needed. Data repositories 50 and 52 are associated with RAFs 46 and 47, respectively. RAF 48 is associated with server or entity 44. The data repository stores a primary copy of one or more GUP profile components. The RAF associated with a particular data repository provides standardized access to the data repository. In the configuration shown in FIG. 4, the data repository and associated RAF store authorization data. The authorization data can be provided to the server 42 or other suitable entity. For example, data is provided to an application that must be authorized by some means to provide an operator application that can access the authorization data. Other data can be included in the same data repository as authorization data, as described below.

  In the embodiment shown in FIG. 4, the authorization request is sent directly from the GUP server 42 to the entity or server 44, and a response to the request can be sent to the GUP server. This RAF 48 can be bypassed.

  Please refer to FIG. FIG. 5 shows an example of the mapping of the GUP reference architecture of FIG. 4 to the current infrastructure environment. Each of the applications 30, 32, and 34 has a connection to the GUP server 42. According to embodiments of the present invention, the GUP server can connect to the authorization server and / or authorization data repository 44 of FIG.

RAFs 54, 56, 58 and 60 are as follows.
RAF 54 provides access to a data repository for user equipment 62.
RAF 56 provides access to data repository 64 for HPLMN (Home PLMN) such as HSS (Home Subscription Server), HLR (Home Location Register), VLR (Visitor Location Register), and PPR (Privacy Profile Register). provide.
RAF 58 provides access to a data repository 66 for an application server, such as an IMS application server.
RAF 60 provides access to data repository 68 for management server CRM (customer relationship management) and the like.
Authorization data may be stored in one or more of these data repositories 62-68.

  Please refer to FIG. FIG. 6 shows the GUP information model.

  The generic user profile 80 includes a plurality of independent GUP components 82. GUP components can include (ie, reference) other GUP components. Thereby, for example, data can be reused. The GUP component 82 has a unique identifier in the generic user profile and can be retrieved via one RAF. In addition to the component type, the component identifier includes a subscriber identifier or more generic identification information that depends on the type of component used. A GUP component can consist of multiple GUP components, data element groups and / or data elements.

  The GUP component includes zero or more data element groups 86. The data element group includes inseparable data elements and / or data element groups. Depending on the required data element group, a deeper hierarchical structure can be achieved. The lowest hierarchical level data element group includes one or more data elements 88. Data element groups within a GUP component may be of the same or different types. In some implementations of the invention, the GUP component may include zero or more data elements that do not have a data element group. A GUP component shall have at least one GUP component, data element group, or data element.

  The composite data type 90 is used to define the configuration of the entire GUP component. The configuration includes a definition of what data element group is and / or a definition of which data element belongs to the defined GUP component, and a definition of the type of data and the value of that data.

  Please refer to FIG. FIG. 7 shows how an authorization component can be adapted to a generic user profile (GUP). The generic user profile 80 is shown as having an authorization component 92 (which is a GUP component), a first GUP component 82a, and a second GUP component 82b. The authorization component 92 can include a data element group 86 that includes a first data element 88a and a second data element 88b. Alternatively, the authorization component 92 can include a data element 88c.

  The second GUP component 82a is shown to include two data elements 88d and 88e.

  The second GUP component is shown having an authorization component 94. This authorization component has a data element group or data element. A data element group 86b is also shown. Data element group 86b includes a data element group 86c that includes two data elements 88f and 88g. Alternatively or additionally, the data element group 86b can include a data element 88h. The GUP component 82b is also shown to include a further component 82c. That is, authorization components provided by embodiments of the present invention can include GUP components, data element groups, and / or data elements.

  GUP authorization data is considered to be an independent GUP component that can be referenced by user profile data or GUP components. This allows the same capability to be used to manage authorization data with respect to other user profile data. Authorization data is completely independent of actual data, and authorization models and rules can be developed independently. Embodiments of the present invention can refer to any GUP data item in the authorization data (eg, subscriber language or default for receiving push-type communications) and grant authorization for its use It is. Rules can be coarse or fine and are prepared to the required level of accuracy.

  The authorization data model used in embodiments of the present invention can provide authorization data for complex user profile information. This is necessary, for example, when determining whether a data item can be provided when requested by some entity. Authorization can be done for very different chunks of data, different implementations, and configurations. Embodiments of the invention can accommodate these variations.

  Embodiments of the present invention have the advantage that a generic and common solution can be applied to the various data that are authorized. This advantage is suitable for different types of implementations and implementation architectures. Management of authorization data can be handled by the GUP with respect to other GUP-specific data and separately from the authorized data. It is easier to give different entities different access to manage authorization data than to manage the actual data that is authorized. Similar user interfaces and management applications can be used for other GUP data. Embodiments of the present invention are data independent. That is, there is no need to change the existing data format or data storage structure with the authorization data. The same authorization settings can be used for different data.

  Embodiments of the invention can also be position independent. It can be in a separate server dedicated to storing authorization data, in authorized data, or in a server that handles authorization on behalf of the actual data storage.

  As described above, the GUP authorization data model is such that authorization-related data is viewed as an independent GUP component, referred to as an authorization component. Similar to an actual user profile or other GUP component used to describe actual generic data.

  In an embodiment of the present invention, the same mechanism, i.e., procedures such as create, modify, delete, query, similar component identifiers, and the same management interface are used to manage authorization data with respect to other user profile data. Can do. This allows user data to be considered part of the entire user profile as the case may be.

  As mentioned above, authorization data is not strongly tied to authorized data. Authorization data can be present at any location based on implementation requirements, for example, in a separate privacy register or in a GUP server. The authorization component allows the authorization data to be defined to be user specific or common to multiple users. The authorization component allows authorization data to be common to all user profile components or common to all users of a particular component type.

  The authorization component can be used to describe the authorization rules for the authorization data itself, i.e. who is allowed to change the authorization rules. The authorization component can be used to describe data delivery and usage policies such as retention time, further disclosure rules, etc. to communicate actual data to the data requester. The authorization component can describe default authorization settings before user-specific settings exist or user-specific settings are created.

The following types of authorization data can be specified:
• Target subscriber (or group of subscribers) identifier—GUP subscriber • Component type and more detailed data reference • Requester (application ID and end user ID) or requester group identifier • As an authorization assertion in the request Other requester related data received • Authorized operations (query, modify, create, delete, subscribe)
・ Attributes specific to the privacy policy (the privacy policy is included in the request)
・ Other attributes related to the request case (eg time schedule)
・ Operation (eg, judgment, encapsulation of privacy policy, etc.)

  An authorization component can reference any element in the GUP information model. This allows authorization settings for different levels and data hierarchies depending on the case and need. Thus, in an embodiment of the invention, the GUP defines the authorization component like any other GUP component. This means that the same capabilities (eg, identifiers and configurations) as other GUP components apply to the authorization component. An authorization component can reference any element of the GUP information model and define authorization for those elements. The authorization component may be subscriber specific and may be common to multiple subscribers and / or elements of the GUP information model. Any GUP component can contain additional data items that are used for authorization (eg, by RAF), but they are considered part of the data specific to a particular GUP component. Therefore, it is not part of the general-purpose authorization specified by GUP.

  In an embodiment of the present invention, there is a GUP function that serves to authorize an application for accessing GUP data based on user-specific or common privacy rules. All attempts to access GUP data are based on the requester information, the requested data, the target subscriber, and the operation being performed, or a defined policy that must include some of them, Authorized. A GUP data structure needs to meet the requirements for providing authorization information such as profiles, components, or data elements to different levels. In addition to the generic authorization data, additional service specific data can be defined (eg, for LCS). The same applies to the authorization determination logic. Execution of the authorization logic provides a determination of whether the requestor has been authorized to make the request, and in some cases, depending on the nature of the request, the requester has appropriate access rights to which part of the data. Will be judged. GUP provides a mechanism for managing authorization data to various GUP entities.

  Both HPLMN based applications and non-HPLMN based applications are expected to send requests to the GUP server. The GUP server must have the capability to provide different authorization criteria, policy control, and load control to HPLMN and HPLMN applications.

  In addition to the authorization component, any GUP component that represents actual profile data can have additional items in the data used locally for authorization, eg, by RAF, but those items are As part of the data that is specific to a particular GUP component. These authorization settings can only be translated by entities with good information on semantic data. For example, specific service profile data (within one GUP component) has an address (eg, URL) defined in that data, and an access control field that indicates how this address is accessed and distributed. be able to. The processing of this special privacy field is specific to this particular service and cannot be handled by the generic GUP function, so decisions based on this access control must be close to the repository that provides this service. I must.

  As shown in FIG. 2, the GUP server may include an authorization component that is referenced in the user profile, either user specific or common. The GUP server makes an authorization decision based on the authorization component.

  Alternatively or additionally, RAF functions and data repositories can play a similar role as GUP servers, but are based on authorization components based on GUP components processed by RAF.

  Alternatively or additionally, the RAF and / or GUP server can access the authorization component associated with the GUP request. The authorization component can reside in a GUP server, in a GUP data repository, or in a separate server dedicated to authorization. The GUP server handles authorization based on the authorization component, and the RAF handles authorization locally in the associated data repository. Similarly, the RAF can grant authorization based on an authorization component (a component described below).

  If there is an independent authorization server and authorization requests and corresponding response messages can be sent between the GUP server and the authorization server, the authorization data can be manipulated like any other GUP component, and the authorization itself This is usually an internal function in the GUP server.

  Please refer to FIG. FIG. 8 shows an example of signaling in an embodiment of the present invention using an authorization server.

  In step S1, the application 40 transmits a GUP request S1 to the GUP server 42. The GUP server 42 authenticates the application.

  In step S <b> 2, the GUP server transmits an authorization request to the authorization server 44. This is through the direct connection shown in FIG. In step S3, the authorization server 44 transmits an authorization response according to the same connection.

  In step S5, GUP server 42 makes a GUP data element request from the appropriate RAF, but may be any of the RAFs shown in FIG. The associated RAF returns the GUP data element to the GUP server 42 in step S6. It should be understood that the RAF retrieves the requested GUP data element from the associated GUP data repository. Accordingly, the RAF requests the appropriate data element from the GUP data repository, and the GUP data repository returns the requested GUP data element to the RAF. This is not shown in FIG. 8, but is performed between steps S5 and S6.

  When multiple data elements are requested, the required data elements are requested sequentially in an embodiment of the invention.

  In step S7, the GUP server 42 distributes the requested GUP data. This can target GUP servers that make up GUP components from acquired data elements.

  It should be understood that in some embodiments of the invention, the functionality provided by authorization server 44 may be provided by a GUP server or other suitable entity.

  Thus, embodiments of the present invention can have components that are deep in the profile configuration, for example, one component can again refer to a lower component (such as a lower component if possible). It is possible to refer to components. Components include authorization components as needed but not always.

1 schematically illustrates a system that can implement embodiments of the present invention. A conceptual diagram of GUP is shown. Indicates the range of GUP. 1 illustrates a GUP reference architecture incorporating an embodiment of the present invention. Fig. 4 illustrates an example for mapping a GUP reference architecture incorporating an embodiment of the present invention to a current infrastructure environment. The basic composition of GUP is shown. 4 shows an example of the configuration of an authorization data component into a generic user profile in an embodiment of the invention. Fig. 4 illustrates signaling in one embodiment of the present invention.

Claims (2)

A GUP server sends a request for GUP data to a plurality of repository access function units, where the GUP data has a plurality of parts, and at least one of the plurality of parts includes a data component, a data group, and a data element. Any one of the plurality of parts of the GUP data is authorization data for referring to the GUP data, and the authorization data is independent of at least one of the plurality of parts. And the authorization data is common to a plurality of users of a certain part of the profile, and each of the plurality of repository access function units has various kinds of GUP data stored in corresponding ones of a plurality of repositories. Said transmitting configured to access a portion;
The GUP server receives a response including the data having an access right authorized by a requester from at least one of the plurality of repository access function units, provided that the authorization is the plurality of repository access function units. Receiving based on the authorization data stored in a corresponding one of the plurality of repositories accessed by any one or more of:
After receiving the response including the GUP data, the GUP server sends the GUP data to the requester;
Including a method. A device comprising a transmitter provided in a GUP server and a receiver provided in the GUP server,
The transmission unit is configured to transmit a request for GUP data to a plurality of repository access function units, wherein the GUP data has a plurality of parts, and at least one of the plurality of parts includes a data component, data One of the plurality of portions of the GUP data is authorization data that refers to the GUP data, and the transmission unit also includes the GUP data After receiving the response, the GUP data is configured to be transmitted to the requester, and each of the plurality of repository access function units is configured to send various information of the GUP data stored in a corresponding one of the plurality of repositories. Configured to access the part,
The receiving unit is configured to receive a response including the data having the access right to which the requester is authorized from at least one of the plurality of repository access function units, wherein the authorization is the plurality of the plurality of repository access function units. Defined based on the authorization data stored in any one of the plurality of repositories accessed by any one or more of the repository access functional units,
The authorization data is independent of at least one of the plurality of portions, and the authorization data is common to a plurality of users of a portion of the profile;
apparatus.

Images